[re_kernel] fix lineage-22.1-4.19 kernel

AndroidPatch · Jan 16, 2025 · be7513e · be7513e
1 parent 3d0e7f9
commit be7513e
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 15 deletions.
diff --git a/src/re_kernel/Makefile b/src/re_kernel/Makefile
@@ -1,4 +1,4 @@
-MYKPM_VERSION := 6.0.10
+MYKPM_VERSION := 6.0.11
 
 ifndef KP_DIR
     KP_DIR = ../..

diff --git a/src/re_kernel/re_kernel.c b/src/re_kernel/re_kernel.c
@@ -524,17 +524,20 @@ static long calculate_offsets() {
             break;
         } else if (binder_node_has_async_transaction_offset == UZERO && (binder_proc_transaction_src[i] & MASK_STRB) == INST_STRB) {
             uint64_t imm12 = bits32(binder_proc_transaction_src[i], 21, 10);
-            binder_node_has_async_transaction_offset = sign64_extend((imm12), 16u);         // 0x6B
-            binder_node_ptr_offset = binder_node_has_async_transaction_offset - 0x13;       // 0x58
-            binder_node_cookie_offset = binder_node_has_async_transaction_offset - 0xB;     // 0x60
-            binder_node_async_todo_offset = binder_node_has_async_transaction_offset + 0x5; // 0x70
+            uint64_t offset = sign64_extend((imm12), 16u);
+            if (offset < 0x6B || offset > 0x7B)
+                continue;
+            binder_node_has_async_transaction_offset = offset; // 0x6B
+            binder_node_ptr_offset = offset - 0x13;            // 0x58
+            binder_node_cookie_offset = offset - 0xB;          // 0x60
+            binder_node_async_todo_offset = offset + 0x5;      // 0x70
             // 目前只有 harmony 内核需要特殊设置
-            if (binder_node_has_async_transaction_offset == 0x6B) {
-                binder_node_lock_offset = 0x4;
-                binder_transaction_from_offset = 0x20;
-            } else if (binder_node_has_async_transaction_offset == 0x7B) {
+            if (offset == 0x7B) {
                 binder_node_lock_offset = 0x8;
                 binder_transaction_from_offset = 0x28;
+            } else {
+                binder_node_lock_offset = 0x4;
+                binder_transaction_from_offset = 0x20;
             }
         } else if (binder_transaction_buffer_offset == UZERO && (binder_proc_transaction_src[i] & MASK_LDR_64_Rn_X0) == INST_LDR_64_Rn_X0) {
             uint64_t imm12 = bits32(binder_proc_transaction_src[i], 21, 10);
@@ -598,18 +601,18 @@ static long calculate_offsets() {
     void (*binder_transaction)(struct binder_proc* proc, struct binder_thread* thread, struct binder_transaction_data* tr, int reply, binder_size_t extra_buffers_size);
     lookup_name(binder_transaction);
 
-    bool mov_x22_x0 = false;
+    bool mov_x22x23_x0 = false;
     uint32_t* binder_transaction_src = (uint32_t*)binder_transaction;
     for (u32 i = 0; i < 0x20; i++) {
 #ifdef CONFIG_DEBUG
         logkm("binder_transaction %x %llx\n", i, binder_transaction_src[i]);
 #endif /* CONFIG_DEBUG */
         if (binder_transaction_src[i] == ARM64_RET) {
             break;
-        } else if (binder_transaction_src[i] == 0xAA0003F6u) { // mov x22, x0
-            mov_x22_x0 = true;
+        } else if ((binder_transaction_src[i] & MASK_MOV_Rm_x0_Rd_x22x23) == INST_MOV_Rm_x0_Rd_x22x23) { // mov x22, x0 OR mov x23, x0
+            mov_x22x23_x0 = true;
         } else if (((binder_transaction_src[i] & MASK_LDR_64_Rn_X0) == INST_LDR_64_Rn_X0 && (binder_transaction_src[i] & MASK_LDR_64_Rn_X0_Rt_X0) != INST_LDR_64_Rn_X0_Rt_X0)
-            || (mov_x22_x0 && (binder_transaction_src[i] & MASK_LDR_64_X22) == INST_LDR_64_X22)) {
+            || (mov_x22x23_x0 && (binder_transaction_src[i] & MASK_LDR_64_X22X23) == INST_LDR_64_X22X23)) {
             uint64_t imm12 = bits32(binder_transaction_src[i], 21, 10);
             binder_proc_context_offset = sign64_extend((imm12 << 0b11u), 16u); // 0x240
             binder_proc_inner_lock_offset = binder_proc_context_offset + 0x8;  // 0x248
@@ -647,6 +650,9 @@ static long calculate_offsets() {
             } else {
                 binder_proc_alloc_offset = sign64_extend((imm12), 16u);        // 0x1A8
             }
+            if (binder_proc_alloc_offset > binder_proc_context_offset) {
+                continue;
+            }
             break;
         }
     }

diff --git a/src/re_kernel/re_utils.h b/src/re_kernel/re_utils.h
@@ -32,7 +32,7 @@ typedef uint32_t inst_mask_t;
 #define INST_LDR_64_ 0xF9400000u
 #define INST_LDR_64_Rn_X0 0xF9400000u
 #define INST_LDR_64_Rn_X0_Rt_X0 0xF9400000u
-#define INST_LDR_64_X22 0xF94002C0u
+#define INST_LDR_64_X22X23 0xF94002C0u
 #define INST_LDR_64_SP 0xF94003E0u
 #define INST_LDRB 0x39400000u
 #define INST_LDRB_X0 0x39400000u
@@ -41,10 +41,12 @@ typedef uint32_t inst_mask_t;
 #define INST_LDRSH 0x79800000u
 #define INST_LDRSH_64_ 0x79800000u
 #define INST_MOV_Rd_0 0x2A0003E0u
+#define INST_MOV_Rm_x0_Rd_x22x23 0xAA0003F6u
 #define INST_MOV_Rm_1_Rn_WZR 0x2A0103E0u
 #define INST_MOV_Rm_2_Rn_WZR 0x2A0203E0u
 #define INST_MOV_Rm_3_Rn_WZR 0x2A0303E0u
 #define INST_MOV_Rm_4_Rn_WZR 0x2A0403E0u
+#define INST_MOV_Rm_WZR 0x2A1F03E0u
 #define INST_MRS_SP_EL0 0xD5384100u
 #define INST_STR_Rn_SP_Rt_3 0xB90003E3u
 #define INST_STR_Rn_SP_Rt_4 0xB90003E4u
@@ -70,7 +72,7 @@ typedef uint32_t inst_mask_t;
 #define MASK_LDR_64_ 0xFFC00000u
 #define MASK_LDR_64_Rn_X0 0xFFC003E0u
 #define MASK_LDR_64_Rn_X0_Rt_X0 0xFFC003FFu
-#define MASK_LDR_64_X22 0xFFC003E0u
+#define MASK_LDR_64_X22X23 0xFFC003C0u
 #define MASK_LDR_64_SP 0xFFC003E0u
 #define MASK_LDRB 0xFFC00000u
 #define MASK_LDRB_X0 0xFFC003E0u
@@ -79,10 +81,12 @@ typedef uint32_t inst_mask_t;
 #define MASK_LDRSH 0xFF800000u
 #define MASK_LDRSH_64_ 0xFFC00000u
 #define MASK_MOV_Rd_0 0x7FE0FFFFu
+#define MASK_MOV_Rm_x0_Rd_x22x23 0xFFFFFFFEu
 #define MASK_MOV_Rm_1_Rn_WZR 0x7FFFFFE0u
 #define MASK_MOV_Rm_2_Rn_WZR 0x7FFFFFE0u
 #define MASK_MOV_Rm_3_Rn_WZR 0x7FFFFFE0u
 #define MASK_MOV_Rm_4_Rn_WZR 0x7FFFFFE0u
+#define MASK_MOV_Rm_WZR 0x7FFFFFE0u
 #define MASK_MRS_SP_EL0 0xFFFFFFE0u
 #define MASK_STR_Rn_SP_Rt_3 0xBFC003FFu
 #define MASK_STR_Rn_SP_Rt_4 0xBFC003FFu